https://aneviaro.eu/posts/ Recent content in Posts on Alex Neviarouskaya Hugo -- 0.156.0 en-us Sat, 21 Feb 2026 11:19:21 +0100 https://aneviaro.eu/posts/the-hidden-risk-of-gcp-viewer-role-cross-project-disk-replication/ Sat, 21 Feb 2026 11:19:21 +0100 https://aneviaro.eu/posts/the-hidden-risk-of-gcp-viewer-role-cross-project-disk-replication/ <p><strong>TL;DR:</strong> The legacy Basic <code>roles/viewer</code> is riskier than you think. It grants <code>compute.disks.useReadOnly</code>, which allows an attacker to clone disks (even CMEK encrypted ones) into an external project, effectively removing the CMEK encryption and bypassing specific KMS permissions you would expect to prevent this.</p> <p>While Google patched the direct disk cloning bypass following my disclosure, I have discovered a new workaround using snapshots that still allows attackers to strip CMEK encryption.</p>